Penetration Testing mailing list archives

Re: [PEN-TEST] Vulnerabilities within MPLS ??


From: Joe Hacker <hacker () ONLINE NO>
Date: Thu, 4 Jan 2001 16:11:45 -0000

I have organized several questions to better understand the subject: Are
there any big holes that could lead to a security compromise?  What is the
difference between MPLS and MPLS VPN?  I realize that plain MPLS does not
provide confidentiality, integrity, and authentication by itself unless it
is used along with IPSec.  How is the route negotiated between the PEs
(provider edge routers)?  Can the route negotiation be compromised in any
manner?  What happens with traffic if one of the PE routers goes offline?


As I understand MPLS VPN (vs MPLS), the MPLS VPN networks are not visible to
the global routing table. (Someone stop me if I am talking out of my ass.)

Basically, packets coming from (outside) into routers which carry the MPLS
VPN have no way of entering it and vice versa. MPLS VPN customers who wish to
access the Internet, say, can only do so by having a separate leg (dialup,
leased line, etc) from one of their locations to their (or another) ISP.

Traffic from one VPN cannot move into another VPN (or outside it) unless
there is a flaw in the implementation, or someone busts into the PE (Provider
Edge) equipment. Since the customer equipment is connected directly to this
equipment, it is important that the PE is protected against spoofing attacks.
On Cisco's, this could be implemented by using ip verify unicast reverse-path
on customer interfaces, for example.

Not sure if this answered any of your questions.

-j0e
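
The reverse-path check mentioned in the message above, modelled as an added example that is not part of the original post and not Cisco's code. The interface names, VPN names, prefixes and the per-VPN table lookup are assumptions constructed for illustration.

```python
import ipaddress

# Constructed per-VPN forwarding tables for a hypothetical PE router:
# VPN name -> list of (prefix, interface the best route points to).
# Both VPNs use 10.1.0.0/16, which MPLS VPNs permit.
FIB = {
    "vpn-a": [("10.1.0.0/16", "Serial0/0"),   # site A1, directly attached
              ("10.1.5.0/24", "Serial0/1"),   # site A2, more specific
              ("10.2.0.0/16", "mpls-core")],  # remote site via another PE
    "vpn-b": [("10.1.0.0/16", "Serial1/0")],
}
# Constructed mapping of customer-facing interfaces to their VPN.
INTERFACE_VPN = {"Serial0/0": "vpn-a", "Serial0/1": "vpn-a", "Serial1/0": "vpn-b"}


def best_route(vpn, addr):
    """Longest-prefix match in one VPN's table; (network, interface) or None."""
    ip = ipaddress.ip_address(addr)
    routes = [(ipaddress.ip_network(p), ifc) for p, ifc in FIB[vpn]]
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)


def urpf_strict(ingress_if, src):
    """Strict reverse-path check: accept only if the best route back to the
    source address leaves through the interface the packet arrived on."""
    route = best_route(INTERFACE_VPN[ingress_if], src)
    if route is None:
        return False, "no route to source"
    net, ifc = route
    if ifc != ingress_if:
        return False, f"route {net} points to {ifc}"
    return True, f"matched {net}"


def check_all(packets):
    """Run the check over (ingress interface, source address) pairs."""
    return [(ifc, src, *urpf_strict(ifc, src)) for ifc, src in packets]


if __name__ == "__main__":
    # Constructed sample packets: (ingress interface, source address).
    sample = [("Serial0/0", "10.1.2.3"), ("Serial0/0", "10.1.5.9"),
              ("Serial0/0", "10.2.0.1"), ("Serial1/0", "10.1.2.3"),
              ("Serial1/0", "192.0.2.1")]
    for ifc, src, ok, why in check_all(sample):
        print(f"{ifc:10} {src:12} {'accept' if ok else 'drop':6} {why}")
```

A strict check of this kind also drops legitimate traffic when a customer site is multihomed and its return path uses a different interface, so it fits single-homed customer links best.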

